Senior Product Security Program Manager

Johnson & Johnson

Santa Clara (CA)

Hybrid

USD 138,000 - 238,000

Full time

5 days ago

Job summary

A leading company in healthcare innovation is seeking a Senior Product Security Program Manager for its MedTech division. The role focuses on cybersecurity for robotic surgery platforms, requiring strong leadership and technical skills. Candidates should have extensive experience in IT or cybersecurity, expertise in managing security processes, and the ability to influence at all organizational levels. This position offers potential for remote work and requires up to 20% travel.

Benefits

Annual performance bonus
Medical, dental, and vision insurance
Retirement plan (401(k))
Generous vacation policy
Flexible time off

Qualifications

  • 10+ years of progressive IT or Cybersecurity responsibilities.
  • Experience in penetration testing and vulnerability screening.
  • Ability to lead large projects and provide secure coding recommendations.

Responsibilities

  • Develop and lead the implementation of global cybersecurity standards.
  • Advise R&D on cybersecurity standards and best practices.
  • Manage cybersecurity findings and incident reporting.

Skills

Risk Assessment
Cybersecurity Standards
Leadership
Problem Solving
Collaborative Communication
Threat Modelling

Education

BS/MS degree in STEM

Job description

At Johnson & Johnson, we believe health is everything. Our strength in healthcare innovation empowers us to build a world where complex diseases are prevented, treated, and cured, where treatments are smarter and less invasive, and solutions are personal. Through our expertise in Innovative Medicine and MedTech, we are uniquely positioned to innovate across the full spectrum of healthcare solutions today to deliver the breakthroughs of tomorrow, and profoundly impact health for humanity. Learn more at https://www.jnj.com

Job Function:

Technology Enterprise Strategy & Security

Job Sub Function:

Solution Architecture

Job Category:

Scientific/Technology

All Job Posting Locations:

Cincinnati, Ohio, United States of America; Danvers, Massachusetts, United States of America; Irvine, California, United States of America; Raritan, New Jersey, United States of America; Santa Clara, California, United States of America

Job Description:

We are seeking the best talent for a Senior Product Security Program Manager to join our MedTech Product Security team. The role can be based in Santa Clara or Irvine, CA; Cincinnati, OH; Raritan, NJ; Danvers, MA. Remote work options may be considered on a case-by-case basis and if approved by the Company. This role may require up to 20% travel.

The Senior Product Security Program Manager for Surgery R&D Robotics platforms is responsible for developing and leading the implementation strategy of the global J&J ISRM cybersecurity standards. As the subject matter expert for cybersecurity, you will provide leadership oversight and guide large project teams throughout the development phases of new products, review product security requirements, recommend security design solutions, and ensure the team completes Quality documentation, threat modelling, penetration testing, software architecture review and design recommendations, code analysis, and other security testing or work as needed.

Additionally, this role will lead teams responsible for multiple post-market activities for surgical robotics devices, including monitoring new vulnerabilities, ensuring the product security teams assist with patching and remediation plans, responding to all customer security questionnaires, and reviewing security language within contractual agreements.

Key Responsibilities:

  • Advise and inform R&D stakeholders on cybersecurity standards and best practices
  • Support and advise senior management, product management, project management and R&D leaders on cybersecurity related activities and issues
  • Continuously review and refine all relevant R&D cybersecurity processes to adapt enterprise requirements
  • Assist project teams in the creation of Cyber Security Plans – including overall security design control requirements, patch management strategy and implementation roadmap.
  • Ensure project teams consider industry standards for system hardening and secure coding
  • Conduct threat modeling (e.g. STRIDE, Attack Trees) and risk assessment workshops
  • Define security rule sets and support their implementation in static and dynamic code analysis tools
  • Guide and train project teams to ensure direct and indirect security requirements are understood and implemented
  • Train and support project teams on definition, execution, and documentation of penetration tests
  • Set up and manage an effective vulnerability screening process across products within the BU
  • Implement and manage supply chain security through Software Bill-of-Materials (SBOM)
  • Support all stakeholders on patch management / vulnerability handling
  • Management of cybersecurity findings (internal & external), regular reporting of incidents and metrics (NIST, CVSS Scoring)
  • Triggering, supporting and leading the incident management process
  • Keep abreast of information security and business trends in the industry through benchmarking and/or participation in professional associations
  • Other MedTech cybersecurity related duties as needed

Qualifications:

Required:

  • BS/MS degree in STEM (science, technology, engineering, mathematics) or equivalent.
  • 10+ years of progressive IT or Cybersecurity responsibilities
  • Collaborative and able to effectively interact and communicate with peers, management, and leadership teams on various technical levels
  • Proficiency in performing risk and impact assessments and determining treatment strategies
  • Familiar with threat modeling, penetration testing, stress testing and vulnerability screening
  • Basic understanding of privacy enhancing technologies and regulations such as GDPR
  • Familiar with methods and tools of modern software development on different platforms
  • Ability to create and deliver cybersecurity awareness campaigns and other communications
  • Ability to translate technical security requirements into solutions
  • Ability to provide secure coding recommendations
  • Ability to lead large projects and proven ability to track to project plan timelines from a security perspective
  • Ability to write technical security requirements for embedded systems and web platforms
  • Creative problem-solving skills
  • Customer focus (internal & external)
  • Excellent communication and collaboration skills, able to network, interface and influence at all levels of the organization, cross sector, cross-functionally and globally
  • Strong leadership and project management skills
  • CISM/CISSP or other security leadership certification

Preferred Skills:

  • Direct experience with HIPAA, FDA and other security and privacy governance
  • Experience leading or participating in formal security audits (e.g. HITRUST, SOC2, FedRAMP)
  • Familiarity with FDA and/or other global regulatory cybersecurity guidance requirements and submission process
  • Experience with web applications and server hardening (e.g. AWS, Azure) including knowledge of OWASP Top 10 and blue teaming techniques
  • Software development experience

Johnson & Johnson is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status or other characteristics protected by federal, state or local law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act.

Johnson and Johnson is committed to providing an interview process that is inclusive of our applicants’ needs. If you are an individual with a disability and would like to request an accommodation, please email the Employee Health Support Center (ra-employeehealthsup@its.jnj.com) or contact AskGS to be directed to your accommodation resource.

The anticipated base pay range for this position is:

$138,000 - $238,000 (Bay Area); $120,000 - $207,000 (all other areas)

Additional Description for Pay Transparency:

The Company maintains highly competitive, performance-based compensation programs. Under current guidelines, this position is eligible for an annual performance bonus in accordance with the terms of the applicable plan. The annual performance bonus is a cash bonus intended to provide an incentive to achieve annual targeted results by rewarding for individual and the corporation’s performance over a calendar/performance year. Bonuses are awarded at the Company’s discretion on an individual basis.

Employees and/or eligible dependents may be eligible to participate in the following Company sponsored employee benefit programs: medical, dental, vision, life insurance, short- and long-term disability, business accident insurance, and group legal insurance. Employees may be eligible to participate in the Company’s consolidated retirement plan (pension) and savings plan (401(k)).

Employees are eligible for the following time off benefits:

  • Vacation – up to 120 hours per calendar year
  • Sick time – up to 40 hours per calendar year; for employees who reside in the State of Washington – up to 56 hours per calendar year
  • Holiday pay, including Floating Holidays – up to 13 days per calendar year
  • Work, Personal and Family Time – up to 40 hours per calendar year

Additional information can be found through the link below.

http://www.careers.jnj.com/employee-benefits

The compensation and benefits information set forth in this posting applies to candidates hired in the United States. Candidates hired outside the United States will be eligible for compensation and benefits in accordance with their local market.